From 4b5520145969222e6482e4552e49e96cc7d9bd97 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Tue, 14 Mar 2023 13:13:14 +1100
Subject: [PATCH 1/2] When signing with a new algorithm preserve NSEC/NSEC3 chains

If the zone already has existing NSEC/NSEC3 chains then zone_sign needs to continue to use them. If there are no chains then use kasp setting otherwise generate an NSEC chain.
---
 bin/tests/system/nsec3/tests.sh |  6 ------
 lib/dns/zone.c                  | 34 ++++++++++++++++-----------------
 2 files changed, 17 insertions(+), 23 deletions(-)

diff --git a/bin/tests/system/nsec3/tests.sh b/bin/tests/system/nsec3/tests.sh
index 1646e89d6b..9d9fec20bb 100644
--- a/bin/tests/system/nsec3/tests.sh
+++ b/bin/tests/system/nsec3/tests.sh
@@ -421,12 +421,6 @@ then
 	set_key_states "KEY1" "hidden" "omnipresent" "omnipresent" "omnipresent" "omnipresent"
 	set_key_default_values "KEY2"
 	echo_i "check zone ${ZONE} after reconfig"
-
-	ret=0
-	wait_for_log 10 "zone $ZONE/IN (signed): wait building NSEC3 chain until NSEC only DNSKEYs are removed" ns3/named.run || ret=1
-	test "$ret" -eq 0 || echo_i "failed"
-	status=$((status+ret))
-
 	check_nsec
 
 # Zone: nsec3-to-rsasha1.kasp.

diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 1c10265aa2..7444fb29e3 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -9197,23 +9197,23 @@ zone_sign(dns_zone_t *zone) {
 		   use_kasp ? "yes" : "no");
 
 	/* Determine which type of chain to build */
-	if (use_kasp) {
-		build_nsec3 = dns_kasp_nsec3(kasp);
-		if (!dns_zone_check_dnskey_nsec3(zone, db, version, NULL,
-						 (dst_key_t **)&zone_keys,
-						 nkeys))
-		{
-			dnssec_log(zone, ISC_LOG_INFO,
-				   "wait building NSEC3 chain until NSEC only "
-				   "DNSKEYs are removed");
-			build_nsec3 = false;
-		}
-		build_nsec = !build_nsec3;
-	} else {
-		CHECK(dns_private_chains(db, version, zone->privatetype,
-					 &build_nsec, &build_nsec3));
-		/* If neither chain is found, default to NSEC */
-		if (!build_nsec && !build_nsec3) {
+	CHECK(dns_private_chains(db, version, zone->privatetype, &build_nsec,
+				 &build_nsec3));
+	if (!build_nsec && !build_nsec3) {
+		if (use_kasp) {
+			build_nsec3 = dns_kasp_nsec3(kasp);
+			if (!dns_zone_check_dnskey_nsec3(
+				    zone, db, version, NULL,
+				    (dst_key_t **)&zone_keys, nkeys))
+			{
+				dnssec_log(zone, ISC_LOG_INFO,
+					   "wait building NSEC3 chain until "
+					   "NSEC only DNSKEYs are removed");
+				build_nsec3 = false;
+			}
+			build_nsec = !build_nsec3;
+		} else {
+			/* If neither chain is found, default to NSEC */
 			build_nsec = true;
 		}
 	}

From aafcb8611c387615b6e7dc0aad8622e9252f9665 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Tue, 14 Mar 2023 13:32:47 +1100
Subject: [PATCH 2/2] Add CHANGES for [GL #3937]

---
 CHANGES | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGES b/CHANGES
index f7ab1c7fd9..de6ee4351a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+6124.	[bug]		When changing from a NSEC3 capable DNSSEC algorithm to
+			an NSEC3 incapable DNSSEC algorithm using KASP the zone
+			could sometimes be incompletely signed. [GL #3937]
+
 6123.	[placeholder]
 
 6122.	[func]		BIND now requires liburcu for lock-free data structures
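Review bot: With use_kasp the two flags are no longer mutually exclusive: when dns_private_chains() reports both an NSEC and an NSEC3 chain (a transition already in progress), the new code leaves both set, whereas the old kasp branch always finished with `build_nsec = !build_nsec3;`. The non-kasp path already behaved this way, so this is presumably handled by the signing code further down, but the hunk does not record that; a comment above the `CHECK(dns_private_chains(...))` call such as `/* Existing chains take precedence over the kasp setting; both may be set mid-transition. */` would make the intent explicit. The `/* If neither chain is found, default to NSEC */` comment now sits inside the non-kasp else branch, under an `if` that already expresses "neither chain found", so it reads as if it applied only to that branch; moving it above the outer `if (!build_nsec && !build_nsec3)` and rewording the else branch's comment to `/* no kasp: fall back to NSEC */` would be clearer. The rest of zone_sign, including the code that consumes build_nsec and build_nsec3, lies outside the hunk.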